06-26-2023 12:33 AM
I am following the URL below for ISE Hardening, but I am having trouble finding the settings to meet the following requirements.
<Requirement>
"Configure ACLs that require ISE PSN access to specific ports (8443, 8905, etc, versus ip or tcp any any)."
For IP, I can filter by Administration ==> Admin Access ==> Settings ==> Access ==> IP Access from the GUI, but I cannot specify even the port number.
I tried to configure it with ACLs as described in the requirements, but the CLI did not appear to have ACL settings.
If anyone knows of a setting, either GUI or CLI, that would allow only a specific Port (a setting that meets the requirements), please let me know.
06-26-2023 05:53 AM
The only way I know of for restricting access to the ISE on a port or protocol basis is by placing a firewall or router with ZBFW between the admin PC and the ISE.
06-26-2023 06:20 PM
Hi @Marius Gunnerud
Thank you for your response.
Thank you for the very helpful information. Am I correct in assuming that ISE does not support Port-based ACLs?
06-27-2023 12:26 AM
This really depends on what you mean when you say "does not support Port-based ACLs". It does support port-based ACLs for the dACL that is pushed to switches to control access. But for management access to the ISE itself, this is not supported within the ISE configuration. To restrict access to the ISE based on ports, you would need to use a firewall to perform this restriction.
06-26-2023 10:06 AM
Those ports would be used in the guest traffic flow: 8443/tcp would be the default port for the guest portal, and 8905/tcp would be for client provisioning. So I agree with @Marius Gunnerud; that seems to be referred to as a general rule in case there is a security device in between ISE and the endpoint, but I think @Jason Kunst can add more on this.
06-26-2023 06:25 PM
Thank you for your response.
This is the same additional question as above, but am I correct in assuming that Port-based ACLs are not supported by ISE itself?
We are currently configuring it in the relaying FW, but if it is supported in ISE itself, we may be asked to configure it there, since double blocking is considered to be stronger security.
06-26-2023 06:53 PM - edited 06-26-2023 06:56 PM
Port-based ACLs are supported, but not the way you are trying (between PSNs). When you configure a dynamic ACL, you can specify particular ports to permit or deny.
The best-practices point you are referring to means being as precise as you can when configuring ACLs, for example when you configure a redirect ACL.
You can write option 1 as:
deny udp any eq bootpc host <dhcp server IP> eq bootps
deny udp any host <dns server IP> eq domain
deny tcp any host <ISE SERVER(S) IP ADDRESS> eq 8443
permit tcp any any eq 443
permit tcp any any eq 80
Option 2:
deny ip any host <DHCP Server IP>
deny udp any any eq domain
deny ip any host <ISE SERVER(S) IP ADDRESS>
permit ip any any
Both will work, but option 1 is more precise; you should try to make it as precise as possible to get the job done.
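As an added example (not part of the thread and not Cisco's own tooling), the following Python script parses Cisco-style extended ACL entries and flags the imprecise patterns the hardening guidance warns about ("ip or tcp any any" with no port qualifier). It is run against the two redirect ACL options from the post above, using constructed placeholder addresses (10.0.0.5, 10.0.0.53, 10.0.0.10) in place of the <...> values; the `parse_ace`, `findings` and `count_flagged` names are this example's own.

```python
"""
Added example: a small precision linter for Cisco-style extended ACL entries.
Not from the forum thread or from Cisco; all addresses are constructed samples.
Grammar handled (simplified IOS extended ACE):
  {permit|deny} <proto> <src> [<op> <port>] <dst> [<op> <port>]
  <src>/<dst> := any | host <ip> | <ip> <wildcard>
"""
from dataclasses import dataclass
from typing import List, Optional

PORT_OPS = {"eq", "neq", "gt", "lt", "range"}

# Option 1 from the post, with constructed IPs for the <...> placeholders.
OPTION_1 = """
deny udp any eq bootpc host 10.0.0.5 eq bootps
deny udp any host 10.0.0.53 eq domain
deny tcp any host 10.0.0.10 eq 8443
permit tcp any any eq 443
permit tcp any any eq 80
"""

# Option 2 from the post, same constructed IPs.
OPTION_2 = """
deny ip any host 10.0.0.5
deny udp any any eq domain
deny ip any host 10.0.0.10
permit ip any any
"""


@dataclass
class Ace:
    action: str
    proto: str
    src: str
    src_port: Optional[str]
    dst: str
    dst_port: Optional[str]


def _take_addr(tokens: List[str]) -> str:
    """Consume one address spec: 'any' | 'host X' | 'X WILDCARD'."""
    tok = tokens.pop(0)
    if tok == "any":
        return "any"
    if tok == "host":
        return tokens.pop(0) + "/32"
    wildcard = tokens.pop(0)
    return f"{tok} {wildcard}"


def _take_port(tokens: List[str]) -> Optional[str]:
    """Consume an optional port qualifier such as 'eq 8443' or 'range 1 1024'."""
    if tokens and tokens[0] in PORT_OPS:
        op = tokens.pop(0)
        if op == "range":
            return f"range {tokens.pop(0)}-{tokens.pop(0)}"
        return f"{op} {tokens.pop(0)}"
    return None


def parse_ace(line: str) -> Ace:
    tokens = line.split()
    action, proto = tokens[0], tokens[1]
    rest = tokens[2:]
    src = _take_addr(rest)
    src_port = _take_port(rest)
    dst = _take_addr(rest)
    dst_port = _take_port(rest)
    return Ace(action, proto, src, src_port, dst, dst_port)


def findings(ace: Ace) -> List[str]:
    """Precision issues for one ACE; an empty list means the entry is tight."""
    issues = []
    if ace.proto == "ip":
        issues.append("protocol 'ip' matches every protocol; prefer tcp/udp with a port")
    if ace.dst == "any" and ace.dst_port is None:
        issues.append("destination 'any' with no port qualifier")
    if ace.proto in ("tcp", "udp") and ace.src_port is None and ace.dst_port is None:
        issues.append("tcp/udp entry without any port qualifier")
    return issues


def lint_acl(text: str) -> List[tuple]:
    """Return (line, issues) for every permit/deny entry; remarks and headers are skipped."""
    report = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line.split()[:1] or line.split()[0] not in ("permit", "deny"):
            continue
        report.append((line, findings(parse_ace(line))))
    return report


def count_flagged(text: str) -> int:
    """Number of entries in the ACL that carry at least one precision issue."""
    return sum(1 for _, issues in lint_acl(text) if issues)


if __name__ == "__main__":
    for name, acl in (("option 1", OPTION_1), ("option 2", OPTION_2)):
        print(f"{name}: {count_flagged(acl)} imprecise entries")
        for line, issues in lint_acl(acl):
            for issue in issues:
                print(f"  {line!r}: {issue}")
```

Running it reports zero flagged entries for option 1 and three for option 2 (the two `deny ip` lines and the final `permit ip any any`), which is the concrete form of "option 1 is more precise". The same check can be pointed at any extended ACL or firewall rule set you intend to place in front of the PSNs, so that entries like `permit tcp any host <PSN> eq 8443` pass and broad `ip any any` entries are surfaced before they are deployed.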
06-26-2023 07:28 PM
Hi @ammahend
Thank you for your response.
I see that it is supported.
I just tried it, and the deny command does not seem to exist in config mode.
Do you know what the command would be if we were to implement it from the CLI? Also, is it not possible to configure it in the GUI?
06-26-2023 08:20 PM - edited 06-26-2023 08:20 PM
If you don't mind, can you state clearly what end goal you are trying to achieve?
06-26-2023 09:11 PM
Hi @ammahend
Sorry for the lack of clarity.
Company policy requires the following requirements to be met by ISE, but I am being asked whether the FW settings alone are a sufficient security measure.
Even if we say that we are taking countermeasures with the FW, we are making this inquiry because we have to explain the basis on which the FW countermeasures are sufficient.
If it is clear that ISE does not provide support, we can explain that the only way is to use FW countermeasures; but if it does provide support, we need to explain why we do not configure it.
06-27-2023 04:03 AM - edited 06-27-2023 04:05 AM
If you are trying to restrict communication between ISE nodes, then, as Marius mentioned at the beginning, there has to be a firewall between the nodes where you allow only the ports required for ISE to communicate. Here are the ports used between the different nodes.
06-27-2023 04:24 AM
As already mentioned by the others, ISE doesn't support restricting access to itself based on ports. The ports shown on the link you provided are used for the guest and client provisioning flows. There is no such thing on ISE as "allow access to port 8443 only from this subnet or these IPs". This takes us back to @Marius Gunnerud's original response: this could be done on a security device sitting in the middle, between the endpoints and ISE.
The downloadable ACLs (dACLs) are the access lists that you push to the network devices for enforcement. For example, if you are doing posture assessment you can push a dACL restricting all traffic except to a remediation portal, where the non-compliant endpoints could connect and download the latest antimalware patches; but again, those won't be applied to the traffic destined to ISE itself.